When attacks against companies are described, the targets are frequently said to be either individual end users or large enterprises. Many targets of cybercrime, however, are small businesses. In this post, we'll look at how small businesses in Taiwan are attacked and what lessons others can take from these events.

Many small businesses in Taiwan run their web server from inside their own networks, without much awareness of how to secure it properly. They're primarily concerned with running their business, which makes their insecure servers a prime target for attacks.

Let’s look at a recent case which is a good example of how these attacks work. On May 30, our assistance was requested after an unidentified company (which we’ll call Company A) was hit by denial of service attacks that interrupted access to their servers.

What we found was another problem entirely. Their web server had been compromised through a vulnerability in the server itself. Because, as noted earlier, this web server also had access to Company A's internal network, the attackers had taken control of the company's Active Directory servers as well. We were also able to confirm that at least two separate attackers were at work: one was active before April 24, the other after that date.

Figure 1. Timeline of Attacks

The attackers' behavior was not particularly unusual; all of it is commonplace once a network has been breached. In addition, they kept adding tools through their backdoors continuously.

Many businesses would simply reinstall and rebuild their systems so they can get back to work, but this wouldn't solve the problem. Because the root cause, the vulnerable and insecure web server, has not been addressed, the attacker can simply plant backdoors in the target's network again and again.

Figure 2: Continuing attacks

There are many ways to plant backdoors on a network: remote access tools (legitimate or otherwise), vulnerabilities, and embedded scripts, for starters. Many of these can be difficult to detect and remove. In this case, we even found that uploaded images (for user avatars) could be used to inject scripts that the web server would then run.

This attack was made possible by some rather insecure practices that many SMBs follow. Hosting a web server within your own network exposes a business to serious risks, as happened here. It's much safer for a small business to use some sort of managed hosting for its sites.

However, on one level, this insecurity is understandable. Businesses see the opportunities of new technology but are often blind to the security risks. They feel the need to compete with larger enterprises when it comes to the tools they use, but don't have the resources to match their competitors. Efficiency and cost-effectiveness are the order of the day and, unfortunately, security can fall by the wayside.

While the specific lessons of this attack may only apply to some businesses, the larger lesson is clear: tempting as technological improvements can be, security has to be considered as well. It's dangerous, and irresponsible, to put new tools in place without considering how they can be secured. Otherwise, businesses expose themselves to being compromised repeatedly.


This entry was posted on Tuesday, July 23rd, 2013 at 8:48 am and is filed under Bad Sites, Malware.

Robert

I'm sure I'm under threat. I recently discovered a website I built a couple of years ago is being used by someone (a company) I don't know; it still contains a link to my website. They've added an extra logo and removed the 'about us' and 'contact us' link pages, as they now appear as a blank screen, but left the link to me at the bottom of the page with the copyright sign.
Since I've been on the receiving end of a lot of suspicious activity recently and reported this to the authorities, should I be more concerned than I already am?

Jank

What are the suspicious activities that you face? Is any private data kept in the duplicated site?